From bfe4163f17d1c0fcf7167ebea0885d30b4a95ca1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 7 Jan 2016 12:33:11 +1300 Subject: [PATCH] ntlm_auth: Allow --password force a local password check for ntlm-server-1 mode Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam --- source3/utils/ntlm_auth.c | 82 ++++++++++++++++++++++++++++----------- 1 file changed, 60 insertions(+), 22 deletions(-) diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 4878aa15cd0..b90f9277c75 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -2175,7 +2175,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod uchar lm_key[8]; uchar user_session_key[16]; uint32_t flags = 0; - + NTSTATUS nt_status; if (full_username && !username) { fstring fstr_user; fstring fstr_domain; @@ -2190,29 +2190,67 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod domain = smb_xstrdup(fstr_domain); } - if (!domain) { - domain = smb_xstrdup(get_winbind_domain()); - } + if (opt_password) { + DATA_BLOB nt_session_key, lm_session_key; + struct samr_Password lm_pw, nt_pw; + TALLOC_CTX *mem_ctx = talloc_new(NULL); + ZERO_STRUCT(user_session_key); + ZERO_STRUCT(lm_key); + + nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash); + nt_status = ntlm_password_check(mem_ctx, + true, true, 0, + &challenge, + &lm_response, + &nt_response, + username, + username, + domain, + &lm_pw, &nt_pw, + &nt_session_key, + &lm_session_key); + error_string = smb_xstrdup(get_friendly_nt_error_msg(nt_status)); + if (ntlm_server_1_user_session_key) { + if (nt_session_key.length == sizeof(user_session_key)) { + memcpy(user_session_key, + nt_session_key.data, + sizeof(user_session_key)); + } + } + if (ntlm_server_1_lm_session_key) { + if (lm_session_key.length == sizeof(lm_key)) { + memcpy(lm_key, + lm_session_key.data, + sizeof(lm_key)); + } + } + TALLOC_FREE(mem_ctx); - if (ntlm_server_1_lm_session_key) - flags |= WBFLAG_PAM_LMKEY; - - if (ntlm_server_1_user_session_key) - flags |= WBFLAG_PAM_USER_SESSION_KEY; - - if (!NT_STATUS_IS_OK( - contact_winbind_auth_crap(username, - domain, - lp_netbios_name(), - &challenge, - &lm_response, - &nt_response, - flags, 0, - lm_key, - user_session_key, - &error_string, - NULL))) { + } else { + if (!domain) { + domain = smb_xstrdup(get_winbind_domain()); + } + + if (ntlm_server_1_lm_session_key) + flags |= WBFLAG_PAM_LMKEY; + + if (ntlm_server_1_user_session_key) + flags |= WBFLAG_PAM_USER_SESSION_KEY; + + nt_status = contact_winbind_auth_crap(username, + domain, + lp_netbios_name(), + &challenge, + &lm_response, + &nt_response, + flags, 0, + lm_key, + user_session_key, + &error_string, + NULL); + } + if (!NT_STATUS_IS_OK(nt_status)) { x_fprintf(x_stdout, "Authenticated: No\n"); x_fprintf(x_stdout, "Authentication-Error: %s\n.\n", error_string); } else { -- 2.34.1